Blog General Infosec

New Draft Rule on Ransomware Payments and Cyber Incident Reporting


In 2022, Congress passed the “Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) see 6 USC  681 et. seq.,  Most provisions of that act have been on hold pending agency rulemaking. The Cybersecurity and Infrastructure Security Agency (CISA), a part of the Department of Homeland Security (DHS), published a mammoth filing in the Federal Register on 4/4/2024.  

The public has the opportunity to comment on that filing through June 3rd as many businesses will be impacted by this rule. You may want to carefully review the shared comments on the draft rule. The reporting required by the rule will commence on a date to be set in the Final Rule, likely in around 18 months.

**Note that as of May 17, 2024, CISA has extended the deadline for comments to no later than July 3, 2024.

Some Points Worth Noting

We now want to highlight some particularly noteworthy sections, but please be advised that this is not legal advice, but a brief summary of some exceptionally complex material (we recommend reviewing the original Federal Register filing itself).

‘What’s the applicability of the act? That is, to whom does it apply? The Act talks about reporting for “critical infrastructure,” but what constitutes “critical infrastructure?” Is my business “critical infrastructure”?’

Check out § 226.2 When most people hear “critical infrastructure,” they probably think of areas such as the following (in alphabetical order):

  • Banking and Finance (including commercial and retail banking, credit cards, the stock markets, etc.)
  • Communications (regular and cellular telephone systems, the Internet, the post office, radio and TV, etc.)
  • Defense Department (the Army, Navy, Air Force, Marines, etc. and their bases and suppliers)
  • Emergency services (police, fire, and ambulance services)
  • Energy (such as gasoline production and distribution, electrical power plants and the electric power grid)
  • Food (production, processing and packaging, and distribution)
  • Healthcare (hospitals, pharmacies, and related infrastructure)
  • Transportation (including the Interstate highway system; key bridges, tunnels and ferries; ships and ports; commercial trucking; airlines and airports, etc.)
  • Water and water treatment services

You may be surprised to find out from the draft rule that CISA considers virtually all businesses to be part of “critical infrastructure” with only narrow exceptions.  Unless your business is eligible for one of a fairly small number of exclusions, you likely WILL be subject to CIRCIA cyber incident reporting requirements unless the finally adopted rule is changed.

“So, what sort of cyber incidents would need to be reported?”

This is currently surprisingly difficult to nail down. There are some examples included in the Federal Register filing, but those examples are notable for lacking objective “bright line” criteria. 

The draft rule at § 226.3) says that

  • “(a) Covered cyber incident. A covered entity that experiences a covered cyber incident must report the covered cyber incident to CISA in accordance with this part.
  • “(b) Ransom payment. A covered entity that makes a ransom payment, or has another entity make a ransom payment on the covered entity’s behalf, as the result of a ransomware attack against the covered entity must report the ransom payment to CISA in accordance with this part. [continues]

The question naturally then becomes, “OK, so what’s a covered cyber incident?” Checking the definitions in section § 226.1 , it says:

  • Covered cyber incident means a substantial cyber incident experienced by a covered entity.”

So, continuing to chase that rabbit down its hole, what’s a “substantial cyber incident?” The Fed Reg filing says:

  • Substantial cyber incident means a cyber incident that leads to any of the following:
  • (1) A substantial loss of confidentiality, integrity or availability of a covered entity’s information system or network;
  • (2) A serious impact on the safety and resiliency of a covered entity’s operational systems and processes;
  • (3) A disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services;
  • (4) Unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by a:
    • (i) Compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; or
    • (ii) Supply chain compromise.
  • (5) A “substantial cyber incident” resulting in the impacts listed in paragraphs (1) through (3) in this definition includes any cyber incident regardless of cause, including, but not limited to, any of the above incidents caused by a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; a supply chain compromise; a denial-of-service attack; a ransomware attack; or exploitation of a zero-day vulnerability.
  • (6) The term “substantial cyber incident” does not include:
    • (i) Any lawfully authorized activity of a United States Government entity or SLTT [e.g., State, Local, Territorial or Tribal] Government entity, including activities undertaken pursuant to a warrant or other judicial process;
    • (ii) Any event where the cyber incident is perpetrated in good faith by an entity in response to a specific request by the owner or operator of the information system; or
    • (iii) The threat of disruption as extortion, as described in 6 U.S.C. 650(22).

But we’re still left wondering, for example, what constitutes a “substantial” loss of confidentiality, integrity or availability of a covered entity’s information system or network? There’s no regulatory “bright line standard” in the current draft rule. CISA states “Determinations as to whether a cyber incident qualifies as a substantial cyber incident would need to be made on a case-by-case basis considering the specific factual circumstances surrounding the incident. Note, CISA continues to encourage reporting or sharing of information about all cyber incidents, even if it would not be required under the proposed regulations.” 

In our opinion (obviously not binding on either CISA or you), a “substantial” cybersecurity incident would at least include:

  • Incidents resulting in coverage in the mass media (such as in a newspaper or television news reports)
  • Incidents where a company specializing in cyber security incident response is brought in to help
  • Any breach involving hundreds or more victims
  • Any cyber incidents involving losses of hundreds of thousands of dollars or more
  • Incidents of such importance that a (NON-small businesses) CEO or board of directors have been specifically informed about them.
  • Incidents where someone gets physically hurt badly enough to require medical attention (or dies)
  • Incidents involving unauthorized access to Federally-classified information
  • Incidents where the CISO or Deputy CISO loses their job as a result.
“How does the rule expect companies to make the required reports? What has to be in the reports, and how long will it take to file one? How much time (after an incident is detected or a ransom is paid) do I have to make the required reports?”

The draft rule initially envisions CISA reports being submitted via a “web-based CIRCIA Incident Reporting Form available on CISA’s website or in any other manner and form of reporting approved by the Director.” 

CISA states in the filing that “CISA estimates that both Covered Cyber Incident and Ransom Payment Reports would take three hours to complete, a Joint Covered Cyber Incident and Ransom Payment Report would take 4.25 hours to complete, and a Supplemental Report would take 7.5 hours to complete.” 

The specific items of information that must be provided are numerous, as described at § 226.7-§ 226.11.
Ransom payment reports need to be filed within 24 hours. Other reports generally have a 72 hour window.

“What happens if we don’t file the required reports?”

An enforcement process is described in the draft rule. See § 226.14-§ 226.17 and § 226.20(a),

“Once I file the required report (and any required supplemental reports), is that it? Or is there more?”

There’s more. Data and records must also be preserved for no less than two years.

It is expected that the information to be preserved may average around 4TB of data per incident (see footnote 415 in the Fed Reg filing).

“Does CIRCIA replace any other reporting I might have previously had to make?”

In most cases, at least for now, you’ll still need to make the other filings, too. See § 226.4 and the Federal Register filing for details.

“I’d like to read what some others are saying about CIRCIA — have any attorneys or other organizations published discussions about it?”

Be sure to focus on reports covering the current rule making (e.g., you may also encounter some older articles from 2022 or 2023). Some of the commentaries on the current rule making that we’ve seen have included the following (items ordered according to the base domain of their URL):